With the ‘Harry2’ story recently hitting the headlines, we ask, how far do Schools really need to take data protection?

Newhey Community Primary School have branded Harry Szlatoszlavek with a number 2 as his surname, so they can differentiate between him and another boy with the same first name.

The Rochdale based Primary School says they are complying to data protection regulations by not including surnames on notebooks, just in case they are taken out of the classroom.

Harry Szlatoszlavek’s mum Tanya had contacted the Information Commissioners Office and been informed this policy is not necessary.

Tanya strongly believes the School are taking away Harry’s own identity by branding him ‘Harry2’, she said ‘he even received a Christmas card saying ‘Harry2 from Jack2’

With this recent story, we thought it worth considering how far Schools need to go with compliance

The GDPR is a large piece of legislation which many find overwhelming. Schools have to deal with hundreds, sometimes thousands of students and their personal data.

We have outlined below some ‘GDPR Myths’ and the true situations;

  • All data breaches must be reported to the ICO

Truth: If a breach is likely to result in a risk to people’s rights and freedoms then it must be reported to the ICO within 72 hours. Not all breaches need to be reported and this decision ultimately lies with your Data Protection Officer to make the judgement as to report the breach or not.

  • Personal data can’t be processed without consent

Truth: Most of the personal data processed by schools and colleges is done on the basis of performing a public task, or under a contract. Consent is only really used where the data is not obligatory. Good examples are the consent to use photographs and giving information about ethnic origin.

  • All student records must be deleted once they have left the School

Truth: When a student moves school, it is a legal requirement that their main pupil file move with them, this applies to transfers between schools as well as the transition between primary and secondary school. Schools can keep information about the registration of pupils.

  • It is against data protection regulations to take photos of students

Truth: The key word we always need to consider here is “necessary”. If you need photos to demonstrate a pupils’ progress, for example, this can be considered necessary. A photo to be used on a Management Information System is a standard requirement. In other circumstances you may need to gain consent to use photos. Providing you have considered your justification, there is no prohibition on using photos.

  • No surnames should be on any documentation which could be removed from the school premises

Truth: This comes back to the same question of something being necessary. If you have 20 children in a school called Emily, then a surname will be essential to differentiate between them. The GDPR is interested in ensuring that data is protected appropriately when it is being used, not trying to determine how is can be used.


If you are unsure on how to be fully compliant with the GDPR, please feel free to get in touch with our Education GDPR specialists here.